I have a problem with this mission, based on a theoretical issue of sending a pm to the boss.
In order to perfect a c.s., I'd need to trial-and-error it via sending multiple PMs to the boss. I would
think that after the 2nd attempt of perfecting a c.s., the boss would've clued in that I was doing
something not-so-kosher and alert security. Isn't this a little less 'realistic' to allow the
attemptee to do a trial-and-error on the boss' pm?
In an earlier message, someone mentioned of downloading the user database and then doing
what I assume to a brute-force attack on the admin's pw. is this an alternative?
First off, realistically speaking, you would first probably take what source code you can, and try to make a controlled environment of the site at first. Next, you would want to set up two test account, and insure proper syntax + the ability to cover your ass afterwards/in the process of. You would next try the syntax from one to the other, until perfected. If you can't manage to re-create the way the site works due to some missing files such as php, etc, then you would test it on the site itself with your two test accounts, while being anonymous.
As for the mission, I'm sure hackthissite, (even though they can) didn't want to block a user from trying to complete the challenge, after they fuxed up their code more than one time. You can't really compare hackthissite to other sites around the world. Hackthissite helps delve users into critical thinking, as well as demonstrates and teaches users how exploits work, through the process of real-time exploitation.
Now, I'm not sure what the other person is talking about, but the scenario went like so for me:
Send the "c.s.", and then for simplicity, hackthissite will provide you with the username/password, and the password will be encrypted. You have to find the value of that hash, and continue about the challenge.
Don't take your focus off of the c.s, you will need this to win. (At least from what I know)